1+ <# PSScriptInfo
2+
3+ .VERSION 1.0.1
4+
5+ .GUID 87079941-27c8-44b1-af29-2fb447ccb883
6+
7+ .AUTHOR @torggler
8+
9+ .PROJECTURI https://ntsystems.it/PowerShell/Test-GroupMembership
10+
11+ .TAGS ActiveDirectory
12+
13+ .EXTERNALMODULEDEPENDENCIES ActiveDirectory
14+
15+ #>
16+
17+ <#
18+ . Synopsis
19+ Test AD Group Membership for an account.
20+ . DESCRIPTION
21+ This function uses [ADSI] to test group membership based on the security token of the account.
22+ You can pipe objects of the type [Microsoft.ActiveDirectory.Management.ADAccount[]] to this function.
23+ The function writes $true or $false fore each tested object.
24+ This function makes use of Richard Muellers "PowerShell script to check group membership". Check the related Links.
25+ . EXAMPLE
26+ Get-AdUser -Filter * | .\Test-GroupMemership.ps1 -GroupName "Domain Users"
27+
28+ This example gets users from Active Directory and tests wether or not they are member of the "Domain Users" security group.
29+ . EXAMPLE
30+ Get-AdComputer -Filter * | .\Test-GroupMemership.ps1 -GroupName "Domain Computers"
31+
32+ This example gets computers from Active Directory and tests wether or not they are member of the "Domain Computers" security group.
33+ . INPUTS
34+ [Microsoft.ActiveDirectory.Management.ADAccount]
35+ You can pipe an ADAccount object, such as returned by Get-AdUser or Get-AdComputer, to Test-GroupMembership.
36+ . OUTPUTS
37+ [bool]
38+ Test-GroupMembership returns $true or $false for each tested account.
39+ . LINK
40+ http://www.ntsystems.it/page/PS-Test-GroupMembership.aspx
41+ . LINK
42+ http://gallery.technet.microsoft.com/scriptcenter/5adf9ad0-1abf-4557-85cd-657da1cc7df4
43+ #>
44+
45+ [CmdletBinding (PositionalBinding = $true )]
46+ [OutputType ([bool ])]
47+
48+ Param (
49+ # InputObject, an Object of the Type [Microsoft.ActiveDirectory.Management.ADAccount]
50+ [Parameter (Mandatory = $true ,
51+ ValueFromPipeline = $true ,
52+ Position = 1 )]
53+ [ValidateNotNull ()]
54+ [ValidateNotNullOrEmpty ()]
55+ [Microsoft.ActiveDirectory.Management.ADAccount []]
56+ $InputObject ,
57+
58+ # GroupName, the name of the Group to test
59+ [Parameter (Mandatory = $true ,
60+ ValueFromPipelineByPropertyName = $true ,
61+ Position = 0 )]
62+ [ValidateScript ({Get-ADGroup - Identity $_ - ErrorAction Stop})]
63+ $GroupName
64+ )
65+
66+ process {
67+ foreach ($Object in $InputObject ) {
68+ $GroupList = @ {}
69+
70+ # get ADSI object for user
71+ Write-Verbose " Creating ADSI Object for $ ( $Object.SamAccountName ) "
72+ $AdObject = [ADSI ]" LDAP://$ ( $Object.DistinguishedName ) "
73+
74+ # Check if security group memberships for this principal have been determined.
75+ If ($GroupList.ContainsKey ($ADObject.sAMAccountName.ToString () + " \" -eq $False )
76+ {
77+ # Memberships need to be determined for this principal. Add "pre-Windows 2000"
78+ # name to the hash table.
79+ $GroupList.Add ($ADObject.sAMAccountName.ToString () + " \" , $True )
80+
81+ # Retrieve tokenGroups attribute of principal, which is operational.
82+ $ADObject.psbase.RefreshCache (" tokenGroups"
83+ $SIDs = $ADObject.psbase.Properties.Item (" tokenGroups"
84+
85+ # Populate hash table with security group memberships.
86+ ForEach ($Value In $SIDs )
87+ {
88+ $SID = New-Object System.Security.Principal.SecurityIdentifier $Value , 0
89+
90+ if ($sid.BinaryLength -gt 16 ) {
91+ # the length is used to skip well-known SIDs that cannot be translated to NTAccount
92+ # Translate into "pre-Windows 2000" name.
93+
94+ $Group = $SID.Translate ([System.Security.Principal.NTAccount ])
95+ $GroupList.Add ($ADObject.sAMAccountName.ToString () + " \" + $Group.Value.Split (" \" 1 ], $True )
96+ }
97+ }
98+ }
99+
100+ # Check if $ADObject is a member of $GroupName.
101+ If ($GroupList.ContainsKey ($ADObject.sAMAccountName.ToString () + " \" + $GroupName )) {
102+ Write-Verbose " $ ( $Object.SamAccountName ) is member of $GroupName "
103+ Return $True
104+ } else {
105+ Write-Verbose " $ ( $Object.SamAccountName ) is not member of $GroupName "
106+ Return $False
107+ }
108+ }
109+ }
0 commit comments